Analysis
- max time kernel: 147s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
- submitted: 31-12-2023 04:51
Static task: static1
Behavioral task behavioral1: sample 28e594119e5081ef5504e241e4c72285.dll, resource win7-20231215-en
Behavioral task behavioral2: sample 28e594119e5081ef5504e241e4c72285.dll, resource win10v2004-20231222-en
General
- Target: 28e594119e5081ef5504e241e4c72285.dll
- Size: 823KB
- MD5: 28e594119e5081ef5504e241e4c72285
- SHA1: 794e8eae373570e15b563a0d3ae1ee042a64c313
- SHA256: a84ce5f878d308a093823b638d997e9081a4aaae4ed8bfcad3372f99942de223
- SHA512: 6f91135533ed3e5c2294abcf631cee5e2b2f775b491ed5ca142f290653993edddac471822c4c6d2323ea0babab6dd403b04e06fbe51fbe9111c051f11422c57d
- SSDEEP: 12288:/pUcS4hKZz2f3ssC0CpK54o5FWXgiq1MNQGW0wTX8Uo/XE5Uf5VVVVJDgZh:/pFBEWss7mKSqQtiKvwr8UIEeDg
Malware Config
Extracted
hancitor
1908_jkdsf
http://thookedaurce.com/8/forum.php
http://foolockpary.ru/8/forum.php
http://usitemithe.ru/8/forum.php
Signatures
- Hancitor
Hancitor is a downloader used to deliver other malware families.
- Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  4716  4808        WerFault.exe  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        pid   process       target process
  PID 4052 wrote to memory of 4808   4052  rundll32.exe  rundll32.exe
  PID 4052 wrote to memory of 4808   4052  rundll32.exe  rundll32.exe
  PID 4052 wrote to memory of 4808   4052  rundll32.exe  rundll32.exe
Processes
- C:\Windows\SysWOW64\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\28e594119e5081ef5504e241e4c72285.dll,#1
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 676
  Signature: Program crash
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\28e594119e5081ef5504e241e4c72285.dll,#1
  Signature: Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4808 -ip 4808
Network
MITRE ATT&CK Matrix
Downloads
- memory/4808-0-0x0000000002250000-0x0000000002322000-memory.dmp (filesize 840KB)
- memory/4808-2-0x0000000002370000-0x000000000237A000-memory.dmp (filesize 40KB)
- memory/4808-1-0x0000000002350000-0x0000000002358000-memory.dmp (filesize 32KB)
- memory/4808-4-0x0000000002350000-0x0000000002358000-memory.dmp (filesize 32KB)
- memory/4808-3-0x0000000002250000-0x0000000002322000-memory.dmp (filesize 840KB)